Hi

I am getting below Error, when i execute a store procedure.

2015 02 13 08:28:41#+00#ERROR#com.sap.pia.producer.GetStoryDetails##I309309#http-bio-8041-exec-5#na#b7a7649ff#testing#web#b7a7649ff#Exception message [SAP DBTech JDBC: [2048]: column store error: search table error: [2620] executor: plan operation failed;Can not insert data from temp table "I309309:HANALYTIC_ITEM_OUT_54BE6CA88DB610E0E10000000A6C985F (-1)" into table ""SAP_PIA_USAGECLOUD"."GG_STORY_DATA""]

Thanks

Deepak

Colleagues, hello.

I got access to SAP HANA Cloud Platform and everything was OK during my research.

I made CV and tried to activate it. Here I got a trouble.

My user hasn't necessary authorization.

I read about HCP  stored procedures user but it still isn't clear for me how I can add priviligies to actiovation this calculation view.

Could somebody help me with this issue and provide comparing between HCP stored procedures and usual GRANT command?

When I try to install HANA Cloud Platform Tools into my HANA Dev Studio throgh link <https://community.wdf.sap.corp/groups/juno>, I am getting the following error:

Cannot complete the install because one or more required items could not be found.

  Software being installed: SAPUI5 ABAP Repository Team Provider (Developer Edition) 1.14.6 (com.sap.ide.ui5.team.feature.feature.group 1.14.6)

  Missing requirement: ABAP Communication Framework 2.16.0 (com.sap.adt.fwk.ci.feature.group 2.16.0) requires 'org.eclipse.mylyn.commons.feature.group [3.6.0,4.0.0)' but it could not be found

  Cannot satisfy dependency:

    From: SAPUI5 ABAP Repository Team Provider 1.14.6 (com.sap.ide.ui5.team.feature.external.feature.group 1.14.6)

    To: com.sap.adt.fwk.ci.feature.group 2.0.0

  Cannot satisfy dependency:

    From: SAPUI5 ABAP Repository Team Provider (Developer Edition) 1.14.6 (com.sap.ide.ui5.team.feature.feature.group 1.14.6)

    To: com.sap.ide.ui5.team.feature.external.feature.group [1.14.6]

How to resolve it? Any points would be of great help.

Regards,

Akhil

Hi, we are currently working on an SAP internal project which is actually an App deployed to HCP. We are delegating the user authentification to SAP ID Services and to be exact we are using FORM Authentication. In the App, we have links to SAP(internal) Jam(https://jam4.sapjam.com/).

In most cases our scenario works. However, if we use Firefox to access our App, since it does not take the SAP SSO certificate automatically(for Chrome you get a pop up to select your SAP SSO certificate), we are prompted to enter the SCN user and password(auth. 1). This is so far ok. However, after authentication and after I have logged in the App, I click the SAP Jam link inside to App, I am again prompted to enter my SCN user and password(auth. 2). This is not so nice.

I know, the first authentification(auth. 1) checks only if the user has a valid scn user and password and the second time(auth. 2), since I am accessing an SAP internal Jam group, I am or at least should be checked agains my SAP company internal credentials.

My questions:

1. during the second authentification(auth. 2), why it works, when I enter my SCN credentials not my SAP company internal credentials? I have different password for my SCN credentials and my SAP credentials. Maybe it is because they have the same ID(my D-number?)?

2. how can I get rid of the second authentification(auth. 2)? We have application logic already in our App to check, that the users of our App are SAP internals(D-number or I-number), so it would be really nice that somehow SAP ID Services can provide some API to do a silent login, like the scenario in my question 1.

Really appreciate your help. Thank you.

Regards, Yashu

hi Experts,

To  Install the SAP HANA Cloud Platform Tools steps followed as

From the Eclipse menu, choose Help> Install New Software...

For Eclipse Luna (4.4), add the URL: https://tools.hana.ondemand.com/luna.

then packages are listed from as mentioned below

ABAP Development Tools for SAP Netweaver

Modeling Tools for SAP BW powered by SAP HANA

SAP HANA Cloud Platform Tools

SAP HANA Tools

UI Development Toolkit for HTML5

from the above list we are selecting and installing HANA Cloud Platform Tools and HANA Tools

Are we have any Alternate approach/method to download and install the HANA Cloud Platform tools ? to install in Eclipse Java Enterprise Edition and HANA Studio and also if not required or re-installation means how we can able to easily uninstall the same

kindly provide your inputs for the same.

It all started last year when I replaced my old NAS drive with a new, more powerful device. I chose the single board computer Cubietruck, which is the third generation of the Cubieboard, a slightly more powerful device than the Raspberry Pi. With its SATA plug, the Cubietruck can nicely serve as a central home media server, which was so far the responsibility of my old NAS. With the new device, I also wanted to use it implementing a home automation solution. One of the most important use cases for me is (remote mobile) control of thermostats, but the final solution should also be extendable to control other smart "things", such as blinds, an outdoor video camera, my internet router etc.

The smart things dilemma

The market for "smart" things such as WIFI-enabled lamps, radio-controlled thermostats or security cameras is huge, and you get easily lost when starting to compare the many solutions with each other. Most of them work with proprietary communication protocols such as z-wave or EnOcean, and bring their own mobile app to control them. This makes it hard to let the smart things talk to each other, and the user becomes the integration point between them. This certainly contradicts the idea of a truly automated home with little or no manual interaction of the user. Shades and blinds should be opened and closed automatically as a function of the wind and light intensity, and a smoke alarm detecting smoke should cause all lights in the house to blink, send an alarm message via a push notification and automatically alert the fire department. All of these scenarios require integrated, not isolated, devices.

Enough on the challenges - let's talk about solutions! Each home automation solution follows a common architecture: Your smart devices communicate with a central control unit to which they are connected to, either by wire, WIFI or radio frequency. This unit is a combined hardware and software solution to receive the events sent by your sensor devices (such as the temperature measured by your thermostats) which can trigger actions on your actors. Usually you define those actions as a set of rules in a domain-specific programming language of your central control unit. Almost all those units on the market come with their own, proprietary programming model and do not allow to integrate devices from other vendors. This can drive you into a costly dependency upon the manufacturer of the unit.

openHAB to the rescue!

This is where I came across a wonderful piece of technology: The Open Home Automation Bus, or openHAB. OpenHAB is an open source project under the Eclipse Public License (EPL) and has a very active community. It lets you implement a vendor-independent central control unit on a low-cost single board computer with a broad support for many smart devices out-of-the box. At the same time, it is open for your own extensions. As the underlying framework, openHAB uses the Equinox OSGi runtime, which allows you to easily add or remove features as OSGi bundles from the openHAB runtime. The openHAB "Add-On" download package contains already a large number of bundles, called OpenHAB bindings, from which you can choose the ones you need for your home devices. For example, there is a KNX binding for widely used KNX bus, as well as bindings for the radio-controlled FS20 and HomeMatic systems, the Philips Hue LED lighting, and the FritzBox router.

Bindings in openHAB transform the device-specific protocols and messages into a common semantic model and connects them to openHAB's software bus. However, bindings are not limited to (hardware) sensors and actors. There are also bindings to integrate cloud services, e.g. to collect current and forecast weather data from different provides. Each object managed by openHAB is assigned to a specific binding and registered on the bus as an item. Items can be of different types such as a simple string or number, a dimmer, or an on/off switch. Items can receive and send events on the bus. To make the items accessible to frontends such as a Web Browser or the free native mobile app of the open source project, openHAB supports the concept of a sitemap which collects and create the elements of a user interface.

Based on this vendor-independent object model, events received or sent by the items can trigger actions which are executed by openHAB's rule engine. An action in openHAB does the opposite of a binding: It is used by a rule to translate a command sent on the bus into the device- or service-specific messages. The following diagram shows how bindings, items, sitemaps, actions and rules relate to each other in openHAB's domain model.

Back to the scenario

Installing openHAB on my Cubietruck running Debian Linux was a matter of a few minutes. All you need is a Java VM and off you go! Next I compared different products for radio-controlled thermostats which allowed me to replace my old ones without any hassle. I selected a product from HomeMatic, which is offered at a reasonable price. The thermostats are powered with a battery and equipped with an RF module for the 868Mhz band to send and receive commands using the Bidirectional Communication System (BidCos) protocol.

To turn my NAS into a fully functional central control unit for home automation, I also needed micro controller to communicate with my radio-controlled thermostats. This task is taken over by a CC1101 USB Lite module, or short CUL. The CUL is a USB dongle which can be flashed with the CUL firmware from culfw.de, another open source project in the home automation space. After doing so, the CUL supports a number of protocols for several home automation system, such as BidCos. Here is a photo of my CUL plugged into the Cubietruck's USB port:

Connecting the sensors to openHAB

Connecting the openHAB instance running on the Cubietruck to the radio-controlled thermostats in my living room, the kitchen and the bath is really simple. In my openHAB site's item configuration file, I set the items as number values which display the actual temperature and set the target temperature on the three thermostats as follows:

Number Thermostat_Livingroom_Target "Living Room [%.1f °C]" { homematic="address=<hardware id>,channel=4,parameter=SET_TEMPERATURE,forceUpdate=tr
Number Thermostat_Livingroom_Actual "Living Room [%.1f °C]" { homematic="address=<hardware  id>, channel=4, parameter=ACTUAL_TEMPERATURE" }
Number Thermostat_Kitchen_Target "Kitchen [%.1f °C]" { homematic="address=<hardware id>,channel=4,parameter=SET_TEMPERATURE,forceUpdate=true" }
Number Thermostat_Kitchen_Actual "Kitchen [%.1f °C]" { homematic="address=<hardware id>, channel=4, parameter=ACTUAL_TEMPERATURE" }
Number Thermostat_Bath_Target "Bath [%.1f °C]" { homematic="address=<hardware id>,channel=4,parameter=SET_TEMPERATURE,forceUpdate=true" }
Number Thermostat_Bath_Actual "Bath [%.1f °C]" { homematic="address=<hardware id>, channel=4, parameter=ACTUAL_TEMPERATURE" }

The items are bound to the HomeMatic binding provided by openHAB. Each of them is configured with the corresponding thermostat's unique hardware id (e.g. KEQ0048285) and a datapoint (parameter) which is basically the command sent to the device. All of those configuration settings are product-specific and translated by the binding into the proprietary messages of the BidCos protocol.

Adding the items to a sitemap configuration file in openHAB makes them accessible via the openHAB mobile app or a web browser. The following is an excerpt from my sitemap file for exposing the thermostat in the living room in the UI:

sitemap homezone label="Homezone"
{     Frame {          Text item=Thermostat_Livingroom_Actual {          Frame {                    Setpoint item=Thermostat_Livingroom_Target step=0.5 maxValue=30               }          }     }     ...

A Text element is used to display the actual temperature measured by the item with command (parameter) ACTUAL_TEMPERATURE. The element Setpoint renders to a modifiable control which has an up- and down-arrow button to set the target temperature of the thermostat (with a maximum value of 30 degree celsius).

Basically with the few steps from above, you can get an open and extensible platform for you home automation scenarios up and running with a budget of less than 160 € for the central control unit. The following video shows the free openHAB mobile application in action with the current solution:

Bringing SAP HANA Cloud Platform into the picture

Now with being able to measure and control the temperature in the rooms of my house, the next step for me was to have a sensor logging application which offers an API to store and retrieve the temperature data from the thermostats and keeps a history of it. Although single board computers like the Cubietruck or the new Raspberry Pi 2 Model Bcontinuously increase their storage and processing power, they still remain a bad place to store and analyze (big) data. For this task in an home automation or Internet-of-Things scenario, a Cloud-based service would be a far better option.

This is where SAP HANA Cloud Platform (HCP) comes into the picture: With a UI5-based application on HCP similar to Rui'sFish Import and Export sample, I want to be able to provide a overview of all sensors connected to HCP with a diagram for each of my sensor's historical data.

This requires my openHAB-connected thermostats (or any other types of sensors in my house) to continuously send their measured temperature values to HCP. The cloud application should provide an easy to consume, HTTP-based REST API, which will be used by a new openHAB extension for SAP HCP.

Securing the API

A common requirement in Cloud-enabled IoT scenarios is that the sensors will send their data to the Cloud. Besides confidentiality of the data, care must be taken that only authorized devices are allowed to send the data. To fulfill this requirements for proper device authorization in an IoT scenario, the following boundary conditions have to be considered before selecting a particular security mechanism:

• Sensors are not users: Protecting the API on HCP with a username and password sounds like a quick win: Easy to implement on the consumer and provider side, and it works with RESTful services using the HTTP Basic Authentication Scheme. However, passwords need to set according to a policy defined by the service managing the user accounts (aka "Identity Provider", IdP), and they usually expire after some time. Real users know how to choose a compliant password and how to reset it, but sensors don't! Thus, a credential which better fits to the nature of a device should be chosen to protect the API on HCP side.
• Limited processing power of the sensors and central control unit: Security mechanisms which require strong cryptographic processing capabilities usually do not fit very well in the overall picture of a home automation / IoT scenario. Thus, a lightweight but still secure authentication and authorization mechanism should be chosen.

Considering those boundary conditions, let's take a look at the supported authentication mechanisms in HCP:

• Basic Authentication: As stated above, username and password-based authentication works well for real users, but not for devices. A common workaround taken in situations where there is no alternative to password-based authentication is to introduce a "technical" or "system" user. Those special user accounts are for example not allowed to authenticate via the logon UI, and are not forced to renew their password every 6 months or so. By default, validation of password credentials on HCP is taken care by SAP ID Service (SAP's public Identity Provider), which does not support such type of technical user accounts. You may want to use your own user store (LDAP directory) on HCP and manage the special accounts there, but this would certainly require more infrastructure on the client side, and still not solve the issue of the mismatch between the authenticated entity (a device, sensor) and the credential.
• Security Assertion Markup Language (SAML): SAML is actually not an authentication mechanism, but a Single Sign-On (SSO) protocol, designed for browser-based (web) scenarios. It requires an IdP which authenticates the user whatever mechanism the IdP's considers to be secure enough. It then sends back a response to the application (aka Service Provider, SP) the user desires to log in with an XML-token, the SAML Assertion. The SAML protocol flow relies on a web browser which acts as the relay in the protocol between the IdP and SP to support interactive log-on at the IdP, render HTML in the response from the IdP and execute JavaScript to auto-submit the response back to the SP. From this perspective, SAML does not fit at all into the picture of a sensor authenticating an API call. We may expect from the central control unit or even the sensor itself a basic support for acting as a web client, supporting HTTP and (possibly) TLS/SSL protocols, but certainly no HTML rendering or JavaScript capabilities.
• Client Certificates: Although an X.509 certificate is a much more generic credential than a password and thus may not only authenticate users, but also systems, devices etc., it still remains a relatively heavyweight credential. First, the lifecycle of X.509 certificates is usually managed by a complex infrastructure called a "Public Key Infrastructure", or short PKI. Main components of the PKI are the Registration Authority (RA) for verifying the identity of the certificate's owner, and the Certificate Authority (CA), responsible for issuing the certificates, maintaining revocation lists etc. Second, using X.509 certificates for client-side authentication involves asymmetric data encryption, which can be a costly operation based on key length and other parameters. Again, a sensor or central control unit may not be the ideal place for such type of operations.
• Open Authorization Framework (OAuth): OAuth has emerged as a de-facto standard for protecting RESTful APIs. It uses a lightweight approach to authenticate the API consumer. The credential used by the consumer to authenticate the API call is called the access token, which, in its simplest format, is just a opaque string representing an authorization issued to the consumer. For obtaining the access token, OAuth support a number of mechanisms, depending on the consumers (or OAuth client's) capabilities. Although there may still be even more simpler approaches to get a lightweight but still secure credential to the devices in an IoT scenario, OAuth seems to be very good fit here. So let's investigate this option in more depth on how OAuth on HCP can be used in my home automation scenario.

Authorizing the thermostats with OAuth

... is done in part 2 of this blog! Part 1 so far covered most of the theoretical background we need : 

• openHAB has been introduced as a flexible, extendable and open platform for your home automation needs
• We looked at the steps to connect "Things" or sensors such as smart thermostats to an openHAB instance
• We spend some thoughts on how to use HCP to store, visualize and analyze the data generated by those sensors
• And finally, we looked at the various options available on HCP to protect our service

Continue reading with part II here.

At the end of part 1 of this blog, the decision was taken to use the Open Authorization Framework (OAuth) for protecting the API exposed by the application on HCP. By obtaining an access token from the OAuth 2.0 Authorization Server (AS) on HCP, my sensors (thermostats) connected to the openHAB instance running on my single board computer get authorized to consume the API and store their measured temperature values in the Cloud. So let's get started!

Authorizing the thermostats with OAuth

In general, obtaining an OAuth access token from HCP's AS follows the OAuth 2.0 specification's authorization code grant flow:

1. The account administrator in the HCP account must register an OAuth client (the API consumer, in our scenario the openHAB instance acting on behalf of the sensors connected to it) in the HCP Cloud Cockpit. This requires to specify a "Redirect URI" for the client which is used in step 4 of this process.
2. The OAuth client directs the user's agent (i.e. the web browser) to the AS authorization endpoint, which requires the user to authenticate with their HCP account's trusted identity provider (SAP ID Service, the customer's SAP Cloud Identity tenant, or their own identity provider).
3. Upon successful login with the identity provider (IdP), the user is asked by the AS to confirm that the OAuth client requesting a token will be allowed to act on his or her behalf, optionally under a specific scope (e.g. "send sensor data" in this IoT scenario)
4. If the user confirmed the previous step, the AS uses the URI registered in step 1 to redirect the user's web browser back to the OAuth client. The HTTP redirect URL includes a one-time authorization code generated by the AS.
5. The OAuth client request an OAuth access token from the AS token endpoint with the authorization code obtained in the previous step.
6. The AS validates the authorization code, issues a new access token, and sends it back to OAuth client. The AS associates the token with the user who confirmed the OAuth client's authorization request in step 3.
7. By sending the access token with the API call in the HTTP Authorization header according to the OAuth specification, the OAuth client can make an authorized call to the API protected with OAuth on HCP.

OAuth 2.0 improves the overall security of the scenario by avoiding to pass the user's confidential username and password to the OAuth client. Using OAuth, the user only shares their credentials with the identity provider (IdP). Although the OAuth client still has to take care for secure storage of the issued access token in step 6, the potential damage of a stolen token compared to a stolen password is considerably lower. The access token only authorizes an OAuth client to call a single API endpoint on behalf of the user. A username and password has a much broader scope - it may allow access to a large number of web sites and services.

Using the OAuth 2.0 Authorization Code Grant Flow in the IoT scenario

Looking at steps 2, 3 and 4 above shows that the authorization code grant flow relies on the user's web browser to obtain the authorization code from the AS and redirect back to the OAuth Client. Starting off this process from the central control unit won't work - it is a headless device with no web browser installed on it. Therefore we make use of special feature in HCP's OAuth AS, which facilitates the authorization of an OAuth Client on a mobile device using a QR code.

Here is how we will change the above process to authorize the sensors in our IoT scenario:

Step 1: OAuth Client Registration

We'll register OAuth clients in the Cloud Cockpit for each sensor because we want to authorize them individually. So in our case, we'll have three OAuth clients: "sensor1" for the thermostat in the living room, "sensor2" for the kitchen's thermostat, and "sensor3" for the bath's thermostat. All of them are configured with the same redirect URI, which will only play a minor role in the following steps. Please note that the OAuth clients must be assigned to a subscription in the account, which is the UI5 application used later to display the temperature values. So this step assumes that the application is already deployed in the account.

Optionally one can register application-specific OAuth scopes under the application's submenu folder in the Cockpit:

Step 2: Obtaining the Authorization Code with a QR Code from the mobile device

Instead of starting the Authorization Code Grant Flow from the OAuth Client launching a web browser which wouldn't be possible from my openHAB instance running on the headless single board computer, we stay in the Cloud Cockpit and open another browser window to access HCP's OAuth AS End User UI.

This requires to login to the OAuth AS, which is done in my case using an SCI tenant:

With a click on "Code" in the OAuth AS UI you can generate a new authorization code for a selected OAuth client. To simplify the transfer of the authorization code to the OAuth Client which needs it to request the access token, a QR code for the new authorization code will be generated as well.

Having a QR code scanner installed on my mobile device from where I also want to remotely control my thermostats, I can easily scan the generated code and store it in my smart phone's clipboard.

Now comes the tricky part: How should the scanned code be passed to openHAB so that it can request the access token from HCP's OAuth AS in order to persist the thermostat's data in the Cloud? All I would need is an input field on the thermostat's element in openHAB's mobile app UI which allows me to paste the authorization code. openHAB would have to take it from there and use it to send the access token request and store it at a secure place on the local (my Cubietruck's) file system. Unfortunately, input fields are not in openHAB's supported list of standard UI elements for a sitemap. Fortunately, there is an WebViewelement which allows you to refer to a URL of your choice and display the content in a frame within the mobile UI. If this URL will point to a simple Java servlet running on openHAB generating a label and input field to paste the code with a button to submit it, we are almost done!

Step 3: Extending openHAB to capture the authorization code and request the access token from HCP

So this leaves us with extending openHAB with a new binding implementing the servlet to capture the scanned authorization code from the clipboard and request the access token with it. A good starting point for developing a new openHAB binding are these instructions on the OpenHAB wiki. With the OSGi bundle skeleton generated by Maven for my new "AuthzCode" binding, I first add a Servlet class to it:

package org.openhab.binding.authzcode;
...
public class WebViewServlet extends HttpServlet {
private static final String SERVLET_NAME = "/webview";    ....
/**     * Activates the webview servlet.     */    protected void activate() {        try {            logger.debug("Starting up authzcode webview servlet at " + SERVLET_NAME);            Hashtable<String, String> props = new Hashtable<String, String>();            httpService.registerServlet(SERVLET_NAME, this, props, createHttpContext());            bundleContext = FrameworkUtil.getBundle(this.getClass()).getBundleContext();            if (bundleContext != null) {                ServiceReference<?> serviceReference = bundleContext.getServiceReference(AuthzCodeBindingProvider.class.getName());                if (serviceReference != null) {                    bindingprovider = (AuthzCodeBindingProvider) bundleContext.getService(serviceReference);                } else                    logger.error("BindungProvider is null");                // get all items for this binding                for (String itemName : bindingprovider.getItemNames()) {                    Item sapHcpItem = itemUIRegistry.getItem(itemName);                    logger.debug("Found item: " + sapHcpItem.getName());                }            } else                logger.error("bundleContext is null");        } catch (Exception ex) {            logger.error("Error during saphcp-webview servlet startup", ex);        }    }    /**     * Deactivates the webview servlet.     */    protected void deactivate() {        httpService.unregister(SERVLET_NAME);    }    @Override    protected void doGet(HttpServletRequest request,            HttpServletResponse response) throws ServletException, IOException {        logger.debug("Received WebView Request");        String action = request.getParameter("action");        String request_clientid = request.getParameter("clientid");        if (StringUtils.isNotBlank(request_clientid)) {            this.clientid = request_clientid;        }        logger.debug("clientid set to: "  + clientid);        if (StringUtils.isNotBlank(action) && action.equalsIgnoreCase("sendcode")) {            logger.debug("Executing action: " + action);            String code = request.getParameter("code");            // create command (string)            String commandString = "authorize " + clientid + " " + code;            StringType command = new StringType(commandString);            if (bindingprovider.getItemNames() != null) {                // send command synchronously                String firstItemName = bindingprovider.getItemNames().iterator().next();                eventPublisher.sendCommand(firstItemName, command);            } else {                logger.warn("No item with authzcode binding found");            }        }        response.getWriter().println(buildFormString());    }    private String buildFormString() {        String result = "<html>";        result += "<head><style>p {font-family:verdana;}</style></head>";        result += "<body><form action='./webview' method='get'>";        result += "<p>Code <input type='text' name='code'>";        result += "<input type='hidden' name='action' value='sendcode'>";        result += "<input type='submit' value='Submit'></p></form>";        // update state        // check if file with token exists        String accessToken;        accessToken = AuthzCodeCommons.loadToken(this.clientid);        if (StringUtils.isBlank(accessToken)) {            result += buildAccessTokenFailed();               } else {            result += buildAuthorizedString();        }        result += "</body></html>";        return result;    }    private String buildAuthorizedString() {        return "<p><span style=\"color:green\">Sensor is authorized!</span></p>";    }    private String buildAccessTokenFailed() {        return "<p><span style=\"color:red\">Sensor is not authorized!</span></p>";    }
}

If no request parameter is sent, the doGet method generates a simple HTML form which shows an input field to paste the authorization code in. The form also informs the user if there is already an access token stored for the current item (sensor) or not. By pressing the Submit button, a request is sent to the servlet with two request parameters: The action to send the received code to HCP, and the id of the OAuth Client (thermostat) for which the access token should be requestd. In this case, the WebViewServlet sends a command "authorize" via its EventPublisher instance to the openHAB bus and passes the client id and authorization code with it (lines 60-67).

To launch the servlet when the bundle get loaded and activated, a new component description (webviewservlet.xml) for the servlet is added in the OSGI-INF folder of the bundle:

<scr:component xmlns:scr="http://www.osgi.org/xmlns/scr/v1.1.0" activate="activate" deactivate="deactivate" name="org.openhab.authzcode">   <implementation class="org.openhab.binding.authzcode.WebViewServlet"/>   <reference bind="setHttpService" cardinality="1..1" interface="org.osgi.service.http.HttpService" name="HttpService" policy="dynamic" unbind="unsetHttpService"/>   <reference bind="setItemUIRegistry" cardinality="1..1" interface="org.openhab.ui.items.ItemUIRegistry" name="ItemUIRegistry" policy="dynamic" unbind="unsetItemUIRegistry"/>   <reference bind="setEventPublisher" cardinality="1..1"  interface="org.openhab.core.events.EventPublisher" name="EventPublisher"  policy="dynamic" unbind="unsetEventPublisher" /></scr:component>

This component description must be referenced in the bundle's MANIFEST.MF file via the Service-Component property:

Service-Component: OSGI-INF/binding.xml, OSGI-INF/genericbindingprovider.xml, OSGI-INF/webviewservlet.xml

Now it is up to the AuthzCode binding's main component, the Maven-generated AuthzCodeBinding class, to execute the "authorize" command and request the access token with the passed code and client (sensor) id from HCP. This is done by implementing the internalReceiveCommand method, which uses an Apache Commons HTTPClient to create a POST request to the HCP OAuth AS token endpoint according to the OAuth 2.0 specification. In case of a successful access token request, the response is a JSON formattet string containing the access token which is finally stored on the openHAB instance.

public class AuthzCodeBinding extends AbstractBinding<AuthzCodeBindingProvider> implements ManagedService {
...  @Override    protected void internalReceiveCommand(String itemName, Command command) {        // the code being executed when a command was sent on the openHAB        // event bus goes here. This method is only called if one of the         // BindingProviders provide a binding for the given 'itemName'.        // process command        if (command instanceof StringType) {            StringType t = (StringType) command;            logger.debug("internalReceiveCommand() is called with command \"" + t + "\"");            String[] commandParts = StringUtils.split(t.toString());            if (commandParts[0].equals("authorize")) {                String clientId = commandParts[1];                String authzCode = commandParts[2];                this.authorize(clientId, authzCode);            }        }    }            private void authorize(String clientId, String authzCode) {        logger.debug("authorize() method is called with value " + authzCode);           HttpClient httpClient = new HttpClient();             if (this.proxyHost != null) {            httpClient.getHostConfiguration().setProxy(this.proxyHost, new Integer(this.proxyPort).intValue());        }            PostMethod httpPost = new PostMethod(this.tokenendpoint);        httpPost.addRequestHeader("content-type", "application/x-www-form-urlencoded");        httpPost.addParameter("client_id", clientId);        httpPost.addParameter("grant_type", "authorization_code");        httpPost.addParameter("code", authzCode);        httpPost.addParameter("redirect_uri", this.redirectUri);                        BufferedReader br = null;                try{            int returnCode = httpClient.executeMethod(httpPost);            if(returnCode != HttpStatus.SC_OK) {              // still consume the response body              String errorResponseBody = httpPost.getResponseBodyAsString();              logger.error("Failed to request access Token" + errorResponseBody);            } else {                // Read the response body.                byte[] responseBody = httpPost.getResponseBody();                // parse response for token                Object accessTokenResponse = JSONValue.parse(new String(responseBody));                JSONObject array=(JSONObject)accessTokenResponse;                // store access token                AuthzCodeCommons.saveToken(clientId, (String)array.get("access_token"));            }          } catch (Exception e) {            logger.error("Failed to store access token for client " + clientId + ": " + e.getMessage());          } finally {            httpPost.releaseConnection();            if(br != null) try { br.close(); } catch (Exception fe) {}                      }    }
...

Static configuration parameters of the AuthzCode binding such as the HCP OAuth AS token URL or optional HTTP proxy settings if openHAB is operated behind a firewall can be set in openHAB's central configuration (openhab.cfg), which is read when the system is started and the bindings are initialized.

Adding the new items for authorizing the three thermostats starts with defining them in openHAB's items configuration file:

...
String Authz_Thermostat_Kitchen {authzcode}
String Authz_Thermostat_Livingroom {authzcode}
String Authz_Thermostat_Bath {authzcode}

To expose them as a WebView in openHAB's mobile app, the new items are referenced in the sitemap configuration file from part 1 of this blog as follows:

sitemap homezone label="Homezone"
{    Frame {        Text item=Thermostat_Livingroom_Actual {            Frame {                Setpoint item=Thermostat_Livingroom_Target step=0.5 maxValue=28                Webview item=Authz_Thermostat_Livingroom url="http://<openHAB host>:<port>/webview?clientid=sensor1" height=2            }        }    }
...

From the url parameter of the WebView element which points to the binding's servlet, the sensor's OAuth client ID is passed as a request parameter (clientid) to the binding.

Step 4: Using the access token to persist sensor data on HCP

With the access token in place to authorize a sensor to persist its data on HCP, we need a component on openHAB to actually call our API whenever there is new temperature value captured by a thermostat and sent on the event bus. Like with our new binding, there is no such component in openHAB's Add-On package which can do this out-of-the box. Since this sounds like a reusable component which may be useful for any kind of sensor data (not just my thermostat's temperature values) to persist on HCP, I created a new openHAB action (bundle) for it, which I called "sapHCP".

A skeleton bundle for a new openHAB action is built almost the same way as the binding before using a Maven archetype. The action's static method sendRequest will be called by openHAB  via a rule which is triggered by an sensor value update event on the bus. More on this in a minute! One can also pass parameters when invoking an action's static method. In case of the sapHCP action, those are the actual sensor (temperature) value to store on HCP, the unit of the value (e.g. Celsius), the sensor type (e.g. Thermostat), an optional description and the sensor's OAuth Client ID.

package org.openhab.action.saphcp.internal;
...
public class SapHCP {    ...    public static boolean sendRequest(String sensorValue, String unit, String type, String description, String clientId) {        ...        // check for file saphcp.token in etc directory        String accessToken = AuthzCodeCommons.loadToken(clientId);        if (StringUtils.isNotEmpty(accessToken)) {            //     found the token            logger.debug("Found token for client with id " + clientId);            //  post new temperature value to all HCP items            HttpClient httpClient = new HttpClient();            if (SapHCP.defaultProxyHost != null && SapHCP.defaultProxyPort != null) {                httpClient.getHostConfiguration().setProxy(SapHCP.defaultProxyHost, new Integer(SapHCP.defaultProxyPort).intValue());            }                   PostMethod httpPost = new PostMethod(SapHCP.defaultAPIUrl);            // add access token as authorization header            httpPost.addRequestHeader("Authorization", "Bearer " + accessToken);            JSONObject newSensorValue=new JSONObject();            newSensorValue.put("value", sensorValue);            newSensorValue.put("sensorId", clientId);            newSensorValue.put("unit", unit);            newSensorValue.put("type", type);            newSensorValue.put("description", description);            try {                StringRequestEntity requestBody = new StringRequestEntity(newSensorValue.toJSONString(), "application/json", "UTF-8");                httpPost.setRequestEntity(requestBody);                       BufferedReader br = null;                       try                {                    int returnCode = httpClient.executeMethod(httpPost);                    // read response                    if(returnCode != HttpStatus.SC_OK) {                        // still consume the response body                        String errorResponseBody = httpPost.getResponseBodyAsString();                        logger.error("Failed to send new temperature value: " + errorResponseBody);                      } else {                        // Read the response body.                        byte[] responseBody = httpPost.getResponseBody();                        // parse response                        logger.debug("New temperature value stored. ID: " + new String(responseBody));                    }                } catch (Exception e) {                    logger.error("Unknown Host Exception: " + e.getMessage());                } finally {                      httpPost.releaseConnection();                      if(br != null) try { br.close(); } catch (Exception fe) {}                }            } catch (UnsupportedEncodingException uee) {                logger.error("JSON encoding error: " + uee.getMessage());            }        } else {            logger.warn("No Access token found");        }        return true;    }
}

Using the OAuth client ID parameter as an search index, the sapHCP action can retrieve the sensor's OAuth access token which has been requested in the previous step with the AuthzCode binding and stored in a local token store. If an access token was found for the sensor (client), it is passed with the HTTP authorization header (line 24) in the API call to HCP. The API on HCP expects a flat JSON structure with the values passed as parameters to the sapHCP action.

Step 5: Triggering the sapHCP action from an openHAB rule

Besides the already mentioned items and sitemap configuration files in part 1 of this blog, actions triggered by events on openHAB's software bus can be defined in a rules file to automate processes. The rules for my home automation scenario are quite simple: Whenever a thermostat sends an update on the actual temperature (item), an sapHCP action should be triggered to send the new sensor value to HCP.

import org.openhab.core.library.types.*
import org.openhab.model.script.actions.*
import org.openhab.action.saphcp.*
rule "Send Living Room updates to HCP"
when    Item Thermostat_Livingroom_Actual received update
then    var value = Thermostat_Livingroom_Actual.state.toString    logInfo("sapHCP","Sensor 1: " + value)    sendRequest(value, "C", "Thermostat", "Living Room", "sensor1")
end
...

The above excerpt from the rules file show the descriptive rule definition language in openHAB: In case the item representing the actual temperature in the living room receives a temperature update, its current value is stored in a local variable and send to HCP using the sapHCP action's sendRequest method.

Step 6: Protecting the API on HCP with OAuth

The last remaining piece of the puzzle is the UI5 application running on HCP which exposes the API consumed by the openHAB sapHCP action. Following the declarative approach for protecting the API using OAuth results in the following filter configuration in the application's web.xml deployment descriptor:

...<filter>    <display-name>Sensor OAuth Protection</display-name>    <filter-name>PersistDataScopeFilter</filter-name>    <filter-class>com.sap.cloud.security.oauth2.OAuthAuthorizationFilter</filter-class>    <init-param>      <param-name>scope</param-name>      <param-value>persist-data</param-value>    </init-param>    <init-param>      <param-name>http-method</param-name>      <param-value>post</param-value>    </init-param>    <init-param>      <param-name>no-session</param-name>      <param-value>true</param-value>    </init-param>  </filter>  <filter-mapping>    <filter-name>PersistDataScopeFilter</filter-name>    <url-pattern>/api/v1</url-pattern>  </filter-mapping>
...

The API itself is implemented using the the JAX-RS framework Jersey to annotate my MeasurementResource class. Jersey's application servlet is mapped to the path "/api/v1".

@Path("measurement")
@Produces({ MediaType.APPLICATION_JSON })
public class MeasurementResource {    private static Logger logger = LoggerFactory.getLogger(MeasurementResource.class);    @GET    public Response getAllMeasurements()    {        logger.debug("getTemperatures() called");        MeasurementDAO measurementDAO = new MeasurementDAO();        List<Measurement> measurements = measurementDAO.getAllMeasurements();        return Response.ok().entity(measurements).build();    }    @GET    @Path("sensors")    public Response getSensors()    {        logger.debug("getSensors() called");        Collection<Measurement> resultList = new ArrayList<Measurement>();        MeasurementDAO measurementDAO = new MeasurementDAO();        List<String> sensorIDs = measurementDAO.getSensorIDs();        for (String sensorID : sensorIDs) {            Measurement lastMeasurementForSensor = measurementDAO.getLastMeasurementForSensor(sensorID);            resultList.add(lastMeasurementForSensor);        }        return Response.ok().entity(resultList).build();    }    @GET    @Path("sensor/{sensorId}")    public Response getMeasurementsForSensor(@PathParam("sensorId") String sensorId) {        MeasurementDAO measurementDAO = new MeasurementDAO();        List<Measurement> measurementsForSensor = measurementDAO.getSensorMeasurements(sensorId);        return Response.ok().entity(measurementsForSensor).build();    }    @POST    @Consumes(MediaType.APPLICATION_JSON)    public Response addMeasurement(Measurement newMeasurement)    {        logger.debug("addTemperature() called");        MeasurementDAO measurementDAO = new MeasurementDAO();        long measurementId = measurementDAO.addMeasurement(newMeasurement);        return Response.ok().entity(measurementId).build();    }
}

All methods make use of a central Data Access Object (DAO) to read and store the sensor measurements from the HANA DB on HCP. Internally, the DAO consumes the HCP Persistence Service and uses JPA to manage all sensor data in one single table. Only the addMeasurement operation of the API annotated with the @POST resource method is consumed from the sapHCP action in openHAB. The other read-only operations such as getMeasurementsForSensor are actually consumed from the SAP UI5 JSON models in the application's user interface. In order to protect them as well from unauthorized access, the following security constraint to require FORM-based authentication with the account's (SAML) Identity Provider for the API's path "/api/v1/*" is added to the application's web.xml:

  <login-config>    <auth-method>FORM</auth-method>  </login-config>  <security-constraint>    <web-resource-collection>      <web-resource-name>Protected Web UI Area</web-resource-name>      <url-pattern>/dashboard.html</url-pattern>      <url-pattern>/api/v1/*</url-pattern>    </web-resource-collection>    <auth-constraint>      <role-name>Everyone</role-name>    </auth-constraint>  </security-constraint>

To also allow in parallel the consumption of the API's POST-method from openHAB which cannot login with SAML but provides an OAuth access token, the login stack for FORM must be configured in the Cloud Cockpit to include the OAuth 2.0 Login Module:

That's it! The following video shows the end-to-end flow with all components developed and used in this blog series:

• AuthzCode binding and sapHCP action on openHAB
• the openHAB mobile application on my smart phone
• the SAP UI5 application and the OAuth-protected REST API deployed in my HCP trial account
• my SCI tenant for user authentication at the UI5 application and the HCP OAuth 2.0 AS

Hi all,

I am not able to open below link which is being referred in the open sap session on SAP HANA Cloud platform, as I am getting authorization error.

openSAP course guide for repetition of "Introduction to SAP HANA Cloud Platform"

PLease let me know, how can I access this link.

Cheers

VJ

Hello,

I'm developing a SAPUI5 application, so I update it several times a day to see if the application works properly with new features and code updates.

Resently, I started to have problems with application updates.

Usually, I update my app as it is described here: https://help.hana.ondemand.com/help/frameset.htm?60ab35d9edde43a1b38cf48174a3dca2.html, and it worked fine.

Now, after I see that Eclipse says that the application server is "Started and Synchronized", the code of the client side of my app stays as it was before the changes were made (I can see it in the "Network" tab of browser's developer tools).

I tried to restart the app from the cockpit, but it didn't help.

How do I solve this issue?

Thank you,

Yuri.

Hi,

I'm having an issue where the XS interface of a table is sending an Int64 value as a number not a string.

value is appearing in OData feed as:

"d":{"results":[{"__metadata": {"uri":"https://xs01_myaccount.hana.ondemand.com:443/myapp/services/signupmodel.xsodata/signup('<number>')","type":"myapp.services.signupType"},"USER_TYPE":1,"USER_COUNTER":32},{"__metadata": {"uri":"https://xs01_myaccount.hana.ondemand.com:443/myapp/services/signupmodel.xsodata/signup('<number>')","type":"myapp.services.signupType"},"USER_TYPE":3,"USER_COUNTER":1}]}}

where meta data has

<PropertyName="USER_COUNTER"Type="Edm.Int64"/>

The problem is this line in the OData V2 spec:

VJsonInt64    = quotation-mark int64Literal quotation-mark  int64Literal = ; see section 2.2.2

An Int64 is supposed to be contained within quotation marks - but XS is not doing this!

Any suggestions on how to fix this behaviour?

Thanks!

Chris

HI there.........

I am trying to install "SAP HANA Cloud Platform Tools" on eclips luna........

but i t was showing the following errors.......

Cannot complete the install because one or more required items could not be found.

  Software being installed: SAP HANA Cloud Platform Tools for Java 1.44.0 (com.sap.core.tools.eclipse.server.feature.feature.group 1.44.0)

  Missing requirement: SAP HANA Cloud Platform connectivity editor commons 1.14.0 (com.sap.core.tools.eclipse.connectivity.editor.common 1.14.0) requires 'bundle org.eclipse.emf.validation 0.0.0' but it could not be found

  Cannot satisfy dependency:

    From: SAP HANA Cloud Platform connectivity editor 1.14.0 (com.sap.core.tools.eclipse.connectivity.editor 1.14.0)

    To: bundle com.sap.core.tools.eclipse.connectivity.editor.common 0.0.0

  Cannot satisfy dependency:

    From: SAP HANA Cloud Platform connectivity editor 1.14.0 (com.sap.core.tools.eclipse.connectivity.editor.feature.feature.group 1.14.0)

    To: com.sap.core.tools.eclipse.connectivity.editor [1.14.0]

  Cannot satisfy dependency:

    From: SAP HANA Cloud Platform Tools for Java 1.44.0 (com.sap.core.tools.eclipse.server.feature.feature.group 1.44.0)

    To: com.sap.core.tools.eclipse.connectivity.editor.feature.feature.group [1.14.0]

could any one guide me through this issues.....

Thanks in Advance.

Hi Colleagues,

I am getting following error while trying to install hana cloud platform in luna.

I am using eclipse luna, and the addon site is https://tools.hana.ondemand.com/luna

Thanks in advance.

Ashish

This document provides you with information when and where the SAP HANA Cloud Platform is presented at events around the globe.

Upcoming Events 2015

Past Events 2015

Colleagues, hello.

I got access to SAP HANA Cloud Platform and everything was OK during my research.

I made CV and tried to activate it. Here I got a trouble.

My user hasn't necessary authorization.

I read about HCP  stored procedures user but it still isn't clear for me how I can add priviligies to actiovation this calculation view.

Could somebody help me with this issue and provide comparing between HCP stored procedures and usual GRANT command?

Hi all,

I am considering the following scenario:

A javascript based application is deployed on the on premise Netweaver Java system.

It could be a .war/.ear file for instance: thus, a web application mainly consisting in javascript code that consumes OData services.

The idea currently under consideration is how/whether this application could be migrated to the HCP/HTML5 technology.

I'd be interested on whether this makes sense at all, and whether there is any coding convention/best practice that can make an on premise application more suitable for migration to the HTML5 stack.

Anyone could support on this?

Thanks, regards

Vincenzo

Hello HCP Experts,

today i tried to play with HCP (using SAP HANA Cloud Platform Cockpit).

However, it was not possible to create a Trial SAP HANA Instance.

Problem description:

1. Press link "HANA XS Applications"
2. Specify 'myinstance' for instrance name
   (database is HANA XS, version 1.00.73.00.389160)
3. Press Save button

-> After aprox. 15 seconds comes error popup:

Unable to create trial instance 'myinstance': Internal Server Error (500)

Unexpected exception in createSchema() called with account 'XXXXtrial', schema 'myinstance', DB Type 'hanaxs',

DB Version '1.00.73.00.389160', and DB Server 'null'

----

One more interesting thing i noticedin HCP Cockpit:

- if i try to create Trial Instance then HANA version is 1.00.73.00.389160

- if i create new database schema (it works) then HANA version is 1.00.64.382044

-> Do we really use two different HANA systems in HCP (SPS7 for instance and SPS6 for schemas) ?

What is the scenario for such configuration ?

Could you please check and advise how to proceed.

Thank you.

Best Regards,

Yuri

Hello,

I deployed one Java Application in my trial account. Here I implemented the following Servlet:

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
URL url = new URL("http://www.google.de");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.connect();

All runs fine. I'm getting HTTPS status 200 and as response the googe site code. .... as expected.

Now I try to call one webService, running on my local PC via myFritz Service... (url modified)

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
URL url = new URL("http://pc.w1abcdefgh29nyk9.myfritz.net:9201/test?function=start");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.connect();

... but getting:

h1. HTTP Status 500 - Server returned HTTP response code: 403 for URL: http://pc.w1abcdefgh29nyk9.myfritz.net:9201/test?function=start

... only via HCP. Calling this URL via browser, all works as expected.

Why is it possible to reach google but not my url? What's wrong? As I understood HCP runs in the open internet and for connecting other services in the internet I do not need any Connectivity Service, right?

Hello Everyone,

Can anyone please let me know which data provisioning/ replication methods can be used to load ECC data in hana instance

on cloud hosted by SAP.

(Developer's account to be precise).

If not SAP Developer's account offered by SAP any other service provider.

I would just like to know the methods supported out of the following:

1)SAP LT Replication Server (SLT)trigger based)

2)SAP Sybase Replication Server (SRS) Log based

3)SAP Sybase Event Stream Processor (ESP)

4)SAP HANA Direct Extractor Connection (DXC)

5)SAP Sybase SQL Anywhere (Data Synchronization- Mobilink)

6)SAP Data Services (DS) with ETL .

From what I have read only data services  with etl is supported with trigger based SLT for SAP DB's.

Kindly respond.

Regards,

Pooja M.

Hi Experts ,

I am getting below issue while review attribute raw data. Did below steps but not working. Seeking your help.

Please guide me on resolving the issue.

Thanks,

Kazi

Hello everybody,

i'm facing issues opening the SAP Web IDE on trial.dispatcher.hanatrial.ondemand.com. I can login into the cockpit & open Web IDE from subscriptions.

After opening the link, the Web IDE stopps at 85/90% of the loading bar.

I've deleted browser cache & tried it with different browser but i'm still not able to get into the Web IDE.

Has anybody a tipp what i could try to get into the Web IDE?

Thank you for your answers.

Kind regards

Michael